Privacy Cards

v1.0.0

Create and manage Privacy.com virtual cards. Use for generating single-use cards, merchant-locked cards, listing cards, setting spending limits, pausing/closing cards, and viewing transactions via the Privacy.com API.

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md accurately describes Privacy.com card management and shows curl examples against api.privacy.com; that matches the stated purpose. However, the registry metadata does not declare the API key (PRIVACY_API_KEY) as a required environment variable or primary credential even though the runtime instructions require it. This mismatch is an incoherence between declared requirements and actual capability.
Instruction Scope
The runtime instructions are narrowly scoped to calling Privacy.com endpoints (create/list/update cards, query transactions, webhook verification). They do not instruct reading unrelated files, system paths, or contacting external endpoints outside the official Privacy.com domains. Examples correctly note sandbox vs production differences.
Install Mechanism
No install spec and no code files are present (instruction-only). This is low-risk from an installation perspective because nothing will be downloaded or written to disk by an installer.
Credentials
The instructions require a PRIVACY_API_KEY (sensitive financial API key) but the registry metadata lists no required env vars or primary credential. Requesting an API key to manage virtual cards is proportionate to the skill's purpose, but omitting that requirement from metadata is a red flag: it makes it unclear how the agent runtime will be authorized or how the key will be supplied/used. The API key grants control over payment instruments and potentially access to transaction data and, with higher privileges, PAN/CVV — so ensure only the minimum-privilege key is used (prefer sandbox for testing).
Persistence & Privilege
always:false (normal). The skill is user-invocable and model invocation is allowed (default). While autonomous invocation is standard, pairing autonomous invocation with access to a financial API increases potential impact if the key is provided — verify trust in the skill and owner before granting credentials.
What to consider before installing
This skill's instructions legitimately use Privacy.com APIs, but the package metadata omits the required PRIVACY_API_KEY — that's an internal inconsistency you should question before installing. Do not provide a production API key unless you trust the skill owner. Prefer testing with a sandbox key first, and only grant least-privilege credentials needed. Ask the publisher why the metadata doesn't declare the required env var and whether the skill stores or transmits your key anywhere beyond api.privacy.com. Monitor and rotate keys if you test or use this skill; avoid giving enterprise-level keys that return PAN/CVV unless absolutely necessary.

Latest version: v1.0.0 · 1.3k downloads · 1 star · 1 version · Updated 1mo ago · License: MIT-0

Privacy Cards

Manage virtual cards via the Privacy.com API.

Setup

Getting API Access

  1. Sign up for a Privacy.com account
  2. Email support@privacy.com to request API access
  3. Once approved, you'll receive your API key

Configuration

export PRIVACY_API_KEY="your-api-key"

Environments:

  • Production: https://api.privacy.com/v1
  • Sandbox: https://sandbox.privacy.com/v1

All requests must include the header: Authorization: api-key $PRIVACY_API_KEY
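
A preflight wrapper for the calls on this page, added here as an example and not part of the skill: it defaults to the sandbox host, refuses to run without PRIVACY_API_KEY, and hands the Authorization header to curl on stdin instead of on the command line. PRIVACY_ENV and the function names are assumptions.

```shell
# Added example, not part of the skill. PRIVACY_ENV and the function names are
# assumptions; the base URLs and the header format are the ones listed above.

# Print the API base URL. Sandbox is the default; production is opt-in.
privacy_base_url() {
  case "${PRIVACY_ENV:-sandbox}" in
    sandbox)    echo "https://sandbox.privacy.com/v1" ;;
    production) echo "https://api.privacy.com/v1" ;;
    *) echo "unknown PRIVACY_ENV: ${PRIVACY_ENV}" >&2; return 2 ;;
  esac
}

# Print the Authorization header line, or fail if the key is unusable.
privacy_auth_header() {
  nl='
'
  if [ -z "${PRIVACY_API_KEY:-}" ]; then
    echo "PRIVACY_API_KEY is not set" >&2; return 1
  fi
  case "$PRIVACY_API_KEY" in
    *"$nl"*) echo "PRIVACY_API_KEY contains a line break" >&2; return 1 ;;
  esac
  printf 'Authorization: api-key %s\n' "$PRIVACY_API_KEY"
}

# privacy_api METHOD PATH [JSON_BODY]
# The header reaches curl on stdin (-H @-, curl 7.55.0+), so the key is not
# visible in curl's argument list; printf is a builtin in bash and dash.
privacy_api() {
  base=$(privacy_base_url) || return
  hdr=$(privacy_auth_header) || return
  if [ -n "${3:-}" ]; then
    printf '%s\n' "$hdr" | curl -sS --fail -H @- -X "$1" "$base$2" \
      -H "Content-Type: application/json" --data "$3"
  else
    printf '%s\n' "$hdr" | curl -sS --fail -H @- -X "$1" "$base$2"
  fi
}

# Usage: privacy_api GET /cards | jq
```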


Create a Card

curl -s -X POST "https://api.privacy.com/v1/cards" \
  -H "Authorization: api-key $PRIVACY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "SINGLE_USE",
    "memo": "One-time purchase",
    "spend_limit": 5000,
    "spend_limit_duration": "TRANSACTION"
  }' | jq

Card Types

Type             Behavior
SINGLE_USE       Closes after first transaction
MERCHANT_LOCKED  Locks to first merchant, reusable there
UNLOCKED         Works anywhere (requires issuing access)

Create Parameters

Parameter             Required  Description
type                  Yes       SINGLE_USE, MERCHANT_LOCKED, UNLOCKED
memo                  No        Label/description
spend_limit           No        Limit in cents
spend_limit_duration  No        TRANSACTION, MONTHLY, ANNUALLY, FOREVER
state                 No        OPEN (default) or PAUSED
funding_token         No        Specific funding source UUID

Response

{
  "token": "card-uuid",
  "type": "SINGLE_USE",
  "state": "OPEN",
  "memo": "One-time purchase",
  "last_four": "1234",
  "pan": "4111111111111234",
  "cvv": "123",
  "exp_month": "12",
  "exp_year": "2027",
  "spend_limit": 5000,
  "spend_limit_duration": "TRANSACTION",
  "created": "2024-01-15T10:30:00Z"
}

Note: pan, cvv, exp_month, and exp_year require enterprise access in production; they are always available in sandbox.
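
Because the response can carry the full pan and cvv, piping it straight to jq puts them in the terminal or agent transcript. The helpers below are an added example, not part of the skill: they check a create request against the values in the tables above, build the body with jq so the memo is escaped, and mask pan and cvv before output. The function names are assumptions.

```shell
# Added example, not part of the skill. Function names are assumptions; field
# names and allowed values are taken from the tables and response above.

# validate_card_request TYPE SPEND_LIMIT_CENTS DURATION
# Returns 0 only for values listed under Card Types / Create Parameters.
validate_card_request() {
  case "$1" in
    SINGLE_USE|MERCHANT_LOCKED|UNLOCKED) ;;
    *) echo "invalid type: $1" >&2; return 1 ;;
  esac
  case "$2" in
    ''|*[!0-9]*) echo "spend_limit must be whole cents: $2" >&2; return 1 ;;
  esac
  case "$3" in
    TRANSACTION|MONTHLY|ANNUALLY|FOREVER) ;;
    *) echo "invalid spend_limit_duration: $3" >&2; return 1 ;;
  esac
}

# build_card_request TYPE SPEND_LIMIT_CENTS DURATION [MEMO]
# jq does the JSON escaping, so a memo containing quotes cannot alter the body.
build_card_request() {
  validate_card_request "$1" "$2" "$3" || return
  jq -cn --arg type "$1" --arg limit "$2" --arg dur "$3" --arg memo "${4:-}" \
    '{type: $type, memo: $memo, spend_limit: ($limit | tonumber),
      spend_limit_duration: $dur}'
}

# redact_card: read an API response on stdin and mask pan and cvv wherever
# they appear, at any depth. last_four is kept so the card stays identifiable.
redact_card() {
  jq -c '(.. | objects | select(has("pan")) | .pan) = "REDACTED"
       | (.. | objects | select(has("cvv")) | .cvv) = "REDACTED"'
}

# Usage with the curl call above:
#   body=$(build_card_request SINGLE_USE 5000 TRANSACTION "One-time purchase")
#   curl -s -X POST ... -d "$body" | redact_card
```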


Lookup Transactions

All transactions for a card

curl -s "https://api.privacy.com/v1/transactions?card_token={card_token}" \
  -H "Authorization: api-key $PRIVACY_API_KEY" | jq

Filter by date range

curl -s "https://api.privacy.com/v1/transactions?card_token={card_token}&begin=2024-01-01&end=2024-01-31" \
  -H "Authorization: api-key $PRIVACY_API_KEY" | jq

Filter by result

# Only approved
curl -s "https://api.privacy.com/v1/transactions?result=APPROVED" \
  -H "Authorization: api-key $PRIVACY_API_KEY" | jq

# Only declined
curl -s "https://api.privacy.com/v1/transactions?result=DECLINED" \
  -H "Authorization: api-key $PRIVACY_API_KEY" | jq

Query Parameters

Parameter   Description
card_token  Filter by card UUID
result      APPROVED or DECLINED
begin       On or after date (YYYY-MM-DD)
end         Before date (YYYY-MM-DD)
page        Page number (default: 1)
page_size   Results per page (1-1000, default: 50)

Transaction Response

{
  "token": "txn-uuid",
  "card_token": "card-uuid",
  "amount": -2500,
  "status": "SETTLED",
  "result": "APPROVED",
  "merchant": {
    "descriptor": "NETFLIX.COM",
    "mcc": "4899",
    "city": "LOS GATOS",
    "state": "CA",
    "country": "USA"
  },
  "created": "2024-01-15T14:22:00Z"
}

Transaction Statuses

PENDING, SETTLING, SETTLED

Also: VOIDED, BOUNCED, DECLINED


Quick Reference

List all cards

curl -s "https://api.privacy.com/v1/cards" \
  -H "Authorization: api-key $PRIVACY_API_KEY" | jq

Get single card

curl -s "https://api.privacy.com/v1/cards/{card_token}" \
  -H "Authorization: api-key $PRIVACY_API_KEY" | jq

Pause a card

curl -s -X PATCH "https://api.privacy.com/v1/cards/{card_token}" \
  -H "Authorization: api-key $PRIVACY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"state": "PAUSED"}' | jq

Close a card (permanent)

curl -s -X PATCH "https://api.privacy.com/v1/cards/{card_token}" \
  -H "Authorization: api-key $PRIVACY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"state": "CLOSED"}' | jq

Update spend limit

curl -s -X PATCH "https://api.privacy.com/v1/cards/{card_token}" \
  -H "Authorization: api-key $PRIVACY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"spend_limit": 10000, "spend_limit_duration": "MONTHLY"}' | jq

Common Decline Reasons

Code                    Meaning
CARD_PAUSED             Card is paused
CARD_CLOSED             Card is closed
SINGLE_USE_RECHARGED    Single-use already used
UNAUTHORIZED_MERCHANT   Wrong merchant for locked card
USER_TRANSACTION_LIMIT  Spend limit exceeded
INSUFFICIENT_FUNDS      Funding source issue

See references/api.md for complete field documentation.
